1. Home
2. Support
3. Security advisories

Security bulletin

Security update available for LiveCycle Data Services, LiveCycle ES, and BlazeDS

Release date: June 14, 2011

Last updated: July 11, 2011

Vulnerability identifier: APSB11-15

CVE number: CVE-2011-2092, CVE-2011-2093

Platform: All Platforms

Summary

Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.0 and earlier versions. Adobe recommends users update their product installations using the instructions provided in the "Solution" section below.

Affected software versions

• LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX
• LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX
• BlazeDS 4.0.0 and earlier versions

Solution

Adobe recommends users update their LiveCycle Data Services, LiveCycle, and/or BlazeDS installations by applying the relevant update(s) using the instructions below:

LiveCycle Data Services

Flex Data Services 2.0.1
Prerequisite: Requires that Flex Data Services 2.0.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for FDS 2.0.1, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the Flex Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.5
Prerequisite: Requires that LiveCycle Data Services 2.5 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for LCDS 2.5, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.5.1
Prerequisite: Requires that LiveCycle Data Services 2.5.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for LCDS 2.5.1, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.6
Prerequisite: Requires that LiveCycle Data Services 2.6 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for LCDS 2.6, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 2.6.1
Prerequisite: Requires that LiveCycle Data Services 2.6.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for LCDS 2.6.1, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. Copy the file flex-messaging-common.jar to the /lib directory of your Flex SDK. This is only necessary if you need to compile your application against a services-config.xml file with the validators configuration. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 3
Prerequisite: Requires that LiveCycle Data Services 3 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for LCDS 3, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle Data Services 3.1
Prerequisite: Requires that LiveCycle Data Services 3.1 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for LCDS 3.1, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar, flex-messaging-core.jar and flex-messaging-data.jar to the /WEB-INF/lib/ directory of the LiveCycle Data Services Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server-side changes.

LiveCycle 9.0.0.2, 8.2.1.3 and 8.0.1.3
Download the appropriate Quick Fix for your version and respective platform/operating system of LiveCycle. Then review the Readme and follow the directions contained within to install:

LiveCycle 9.0.0.2:
Readme: QF2.111_9002

Download	Operating System	Filename	MD5	File Size
JBoss	Windows	JBoss_build_configuration.zip	c770edba242e430a22eee8965f16792f	346M
WebLogic	Windows	WebLogic_build_configuration.zip	f949c1b11af785331ff79d07d5e36597	346M
WebSphere	Windows	WebSphere_build_configuration.zip	86a9b3952c1b31e118d84a70b5c85e20	405M
JBoss	Unix	jboss_build_configuration_unix.tar.gz	7bde6fea7d69b14c6921db6e1698647c	346M
WebLogic	Unix	weblogic_build_configuration_unix.tar.gz	885ddb78ab49ba2851353b1acad833b0	346M
WebSphere	Unix	websphere_build_configuration_unix.tar.gz	6e583aaf23bff784898bb1d1f9271676	405M

LiveCycle 8.2.1.3:
Readme: QF3.134_8213

Operating System	Filename	MD5	File Size
Windows	x86_win32_build_configuration.zip	38821142e06f9550ddfacef957ce4137	238M
Linux	x86_linux_build_configuration.tar.gz	bc9e9d5719e2d2d261043fa3a9a585e8	213M
Sun OS	sunos_build_configuration.tar.gz	d71331deb3522ed663a670280b2d514d	213M
AIX	aix_build_configuration.tar.gz	4b01a13e220d8493fda3c8d1500188f0	213M

LiveCycle 8.0.1.3:
Readme: QF3.24_801

Operating System	Filename	MD5	File Size
Windows	x86_win32_build_configuration.zip	4f36c6ebdb59b3d67cf4df55c0c38bdc	274M
Linux	x86_linux_build_configuration.tar.gz	e6bb84903879929aa5a6eab5fab2dc81	249M
Sun OS	sunos_build_configuration.tar.gz	40b1dda0d6bca92b3b807cacb20ae0b0	249M
AIX	aix_build_configuration.tar.gz	678ead1d58cc3f1e57d0aed44919e4a3

BlazeDS 4.0.0
Prerequisite: Requires that BlazeDS 4.0.0 is already installed.
Installation Instructions (please follow any additional instructions in the readme file included with the patch) :

1. Download the patch zip file for BlazeDS 4.0.1, and extract the contents to your local file system.
2. Copy the files flex-messaging-common.jar and flex-messaging-core.jar to the /WEB-INF/lib/ directory of the BlazeDS Web application you want to apply the hotfix to, overwriting the existing versions of these files, and then restart your server.
3. It is not necessary to recompile your application to apply any of the changes that are part of this security hotfix. They are all server side-changes.

Note: For earlier versions of BlazeDS, it is strongly recommended that you upgrade to the latest release build of BlazeDS 4 (v4.0.0 as of June 22, 2011) and then apply the security patch by following the installation instructions above.

Severity rating

Adobe categorizes these as important updates and recommends that users apply the latest update for their product installations by following the instructions in the "Solution" section above.

Details

Two important security vulnerabilities have been identified in LiveCycle Data Services and BlazeDS. These vulnerabilities affect LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions for Windows, Macintosh and UNIX, and LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions for Windows, Linux and UNIX. These vulnerabilities also affect BlazeDS 4.0.0 and earlier versions. Adobe recommends users update their product installations using the instructions provided in the "Solution" section above.

These updates resolve an unrestricted class creation during AMF/AMFX deserialization vulnerability that poses a security risk (CVE-2011-2092).

These updates resolve a complex object graph vulnerability that could lead to a denial of service (CVE-2011-2093).

Acknowledgments

Adobe would like to thank Wouter Coekaerts (CVE-2011-2092, CVE-2011-2093) for reporting the relevant issues and for working with Adobe to help protect our customers.

Revisions

July 11, 2011 - Updated instructions to note additional instructions in readme files
June 22, 2011 - Updated the version information for updating earlier versions of BlazeDS